Monero-mining malware KingMiner’s evolving, research says

Cybersecurity firm Check Point Software Technologies has found that a new crypto-mining malware is ‘evolving’.

A research note published by the company on Thursday reported that analysts Ido Solomon and Adi Ikan identified a Monero-mining malware known as KingMiner. The malware, which was first seen in June, targets Microsoft servers in particular, usually those running IIS or SQL, and uses them to mine Monero.

“The attacker employs various evasion techniques to bypass emulation and detection methods, and, as a result, several detection engines have noted significantly reduced detection rates,” said the researchers. “Based on our analysis of sensor logs, there is a steady rise in the number of KingMiner attack attempts.”

The researchers say that since its emergence in June this year, the malware has spawned two new versions, which manipulate the files required in emulation to create a dependency that is “critical during emulation.”

It also uses a private mining pool with its API turned off to prevent its activity from being monitored, a wallet that isn’t used in public mining pools, and private domains, which make it difficult to find out which domains are being used.

Solomon and Ikan have also found additional placeholders that point to future developments that could make the malware even slipperier.

“KingMiner is an example of evolving Crypto-Mining malware that can bypass common detection and emulation systems,” the researchers added. “By implementing simple evasion techniques, the attacker can increase the probability of a successful attack. We predict that such evasion techniques will continue to evolve during 2019 and become a major (and more common) component in Crypto-Mining attacks.”